Does GDPR apply to me? What North American organizations need to know

Both before and after the EU’s GDPR (General Data Protection Regulation) May 25 implementation date, organizations across the globe have scrambled to understand the full impact of the Regulation on them. The cost of non-compliance can be onerous.

But compliance is also daunting, especially for organizations outside the EU that may be unfamiliar with the legal foundation the GDPR was built on. Given the lack of clarity surrounding the GDPR’s jurisdictional scope (and the ability of EU regulators to enforce penalties overseas), many organizations are wondering: Does all this even apply to me?

GDPR jurisdiction and scope, Article 3 of the GDPR deals with the Regulation’s territorial scope, which has been widely discussed. In short, if you are offering goods and services to, or monitoring the behavior of, EU residents, the GDPR applies to your organization.

OK, so?

The criteria listed above may make the GDPR’s jurisdictional scope seem obvious to some organizations, but it may be more difficult for others. In the modern economy, organizations can process customer data from a variety of hosted locations. Similarly, potential customers can come across your platform from anywhere in the world. Depending on your system setup, you may be capturing a great deal of personal data in the process.

But what if you are not located in the EU, and you are not targeting EU residents as potential customers/users of your product or service?

The GDPR lives on in spirit

Even if the GDPR does not technically apply to your organization, it’s highly likely that a similar law does apply. Data privacy compliance should undoubtedly appear on your organization’s risk governance roadmap, whether for the GDPR, some local law, or an industry requirement such as ISO 27001.

In addition, the benchmark the GDPR sets for privacy compliance practically serves as an international standard. During summer 2018, a variety of other countries drafted data privacy legislation that mirror critical elements of the GDPR. For example:

  • Brazil’s Federal Senate approved a Data Protection Bill with requirements around appointing a DPO (data protection officer), establishing a legal basis for processing personal data, and emphasizing privacy by design
  • Kenya’s government is working on a data protection bill that may require entities to obtain data subjects’ consent before collecting and processing their personal data
  • India’s Supreme Court recognized the right of privacy as fundamental, and the government subsequently issued a draft bill that would require appointments of DPOs, along with establishing limitations on data retention and the processing of sensitive personal data
  • Lawmakers in California, the economic epicenter of US technology companies, passed the California Consumer Privacy Act, which expands the definition of personal information (especially when compared to other US state laws) to include Internet activity information. It also confers certain new rights on consumers, including a “right to know” what data about them is being processed, and opportunities for opting out of processing or the outright deletion of data (one of the more technically contentious points of the GDPR).
  • The EU agreed an “adequacy decision” with Japan, which means both recognize each other’s data protection legislation as affording equivalent levels of protection. Japan modified its Act on the Protection of Personal Information in May 2017, and the law aligns with the GDPR on things such as the purpose limitation for processing, rights of access to processed data, and complaint mechanisms to investigate and resolve reports related to data processing.

Legislators in the US are also considering a federal data privacy law to help establish comprehensive guidance at the country level, as opposed to the current patchwork of state laws.

What now?

Regardless of where you operate, you will likely feel the effects of the GDPR, directly or indirectly. If the GDPR directly applies, you should already be working on your organization’s compliance efforts. For more advice on how to tackle GDPR compliance, check out our blog post GDPR compliance – where to start”.

If the GDPR does not directly apply, other laws may. As noted above, these other laws may be similar to the GDPR in practice and effect. Proactive organizations are already positioning themselves as industry leaders on privacy and personal data, so consider this an opportunity to gain a competitive advantage. Consider our steps for compliance as a launching point for any reviews by your risk management team, or other GDPR implementation guidance. You may also want to consider adopting programmatic models based on existing privacy compliance frameworks that help address data and privacy issues holistically as an enterprise, rather than dealing with each day’s new legal developments.